Next | Query returned 29 messages, browsing 1 to 10 | Previous

History of commit frequency

CVS Commit History:


   2018-06-12 19:50:29 by Benny Siegert | Files touched by this commit (102) | Package updated
Log message:
Revbump all Go packages after lang/go update.
   2018-04-27 16:02:41 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
security/vault: Update to 0.10.1.

DEPRECATIONS/CHANGES:

- `vault kv` and Vault versions: In 0.10.1 some issues with `vault kv` against
  v1 K/V engine mounts are fixed. However, using 0.10.1 for both the server
  and CLI versions is required.
- Mount information visibility: Users that have access to any path within a
  mount can now see information about that mount, such as its type and
  options, via some API calls.
- Identity and Local Mounts: Local mounts would allow creating Identity
  entities but these would not be able to be used successfully (even locally)
  in replicated scenarios. We have now disallowed entities and groups from
  being created for local mounts in the first place.

FEATURES:

- X-Forwarded-For support: `X-Forwarded-For` headers can now be used to set the
  client IP seen by Vault. See the TCP listener configuration
  page for details.
- CIDR IP Binding for Tokens: Tokens now support being bound to specific
  CIDR(s) for usage. Currently this is implemented in Token Roles; usage can be
  expanded to other authentication backends over time.
- `vault kv patch` command: A new `kv patch` helper command that allows
  modifying only some values in existing data at a K/V path, but uses
  check-and-set to ensure that this modification happens safely.
- AppRole Local Secret IDs: Roles can now be configured to generate secret IDs
  local to the cluster. This enables performance secondaries to generate and
  consume secret IDs without contacting the primary.
- AES-GCM Support for PKCS#11 [BETA] (Enterprise): For supporting HSMs,
  AES-GCM can now be used in lieu of AES-CBC/HMAC-SHA256. This has currently
  only been fully tested on AWS CloudHSM.
- Auto Unseal/Seal Wrap Key Rotation Support (Enterprise): Auto Unseal
  mechanisms, including PKCS#11 HSMs, now support rotation of encryption keys,
  and migration between key and encryption types, such as from AES-CBC to
  AES-GCM, can be performed at the same time (where supported).

IMPROVEMENTS:

- auth/approle: Support for cluster local secret IDs. This enables secondaries
  to generate secret IDs without contacting the primary
- auth/token: Add to the token lookup response, the policies inherited due to
  identity associations
- auth/token: Add CIDR binding to token roles
- cli: Add `vault kv patch`
- core: Add X-Forwarded-For support
- core: Add token CIDR-binding support
- identity: Add the ability to disable an entity. Disabling an entity does not
  revoke associated tokens, but while the entity is disabled they cannot be
  used.
- physical/consul: Allow tuning of session TTL and lock wait time
- replication: Dynamically adjust WAL cleanup over a period of time based on
  the rate of writes committed
- secret/ssh: Update dynamic key install script to use shell locking to avoid
  concurrent modifications
- ui: Access to `sys/mounts` is no longer needed to use the UI - the list of
  engines will show you the ones you implicitly have access to (because you have
  access to to secrets in those engines)

BUG FIXES:

- cli: Fix `vault kv` backwards compatibility with KV v1 engine mounts
- identity: Persist entity memberships in external identity groups across
  mounts
- identity: Fix error preventing authentication using local mounts on
  performance secondary replication clusters
- replication: Fix issue causing secondaries to not connect properly to a
  pre-0.10 primary until the primary was upgraded
- secret/gcp: Fix panic on rollback when a roleset wasn't created properly
- secret/gcp: Fix panic on renewal
- ui: Fix IE11 form submissions in a few parts of the application
- ui: Fix IE file saving on policy pages and init screens
- ui: Fixed an issue where the AWS secret backend would show the wrong menu
- ui: Fixed an issue where policies with commas would not render in the
  interface properly
- ui: Corrected the saving of mount tune ttls for auth methods
- ui: Credentials generation no longer checks capabilities before making
  api calls. This should fix needing "update" capabilites to read IAM
  credentials in the AWS secrets engine
   2018-04-11 17:35:49 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
security/vault: Update to 0.10.0.

SECURITY:

- Log sanitization for Combined Database Secret Engine: In certain failure
  scenarios with incorrectly formatted connection urls, the raw connection
  errors were being returned to the user with the configured database
  credentials. Errors are now sanitized before being returned to the user.

DEPRECATIONS/CHANGES:

- Database plugin compatibility: The database plugin interface was enhanced to
  support some additional functionality related to root credential rotation
  and supporting templated URL strings. The changes were made in a
  backwards-compatible way and all builtin plugins were updated with the new
  features. Custom plugins not built into Vault will need to be upgraded to
  support templated URL strings and root rotation. Additionally, the
  Initialize method was deprecated in favor of a new Init method that supports
  configuration modifications that occur in the plugin back to the primary
  data store.
- Removal of returned secret information: For a long time Vault has returned
  configuration given to various secret engines and auth methods with secret
  values (such as secret API keys or passwords) still intact, and with a
  warning to the user on write that anyone with read access could see the
  secret. This was mostly done to make it easy for tools like Terraform to
  judge whether state had drifted. However, it also feels quite un-Vault-y to
  do this and we've never felt very comfortable doing so. In 0.10 we have gone
  through and removed this behavior from the various backends; fields which
  contained secret values are simply no longer returned on read. We are
  working with the Terraform team to make changes to their provider to
  accommodate this as best as possible, and users of other tools may have to
  make adjustments, but in the end we felt that the ends did not justify the
  means and we needed to prioritize security over operational convenience.
- LDAP auth method case sensitivity: We now treat usernames and groups
  configured locally for policy assignment in a case insensitive fashion by
  default. Existing configurations will continue to work as they do now;
  however, the next time a configuration is written `case_sensitive_names`
  will need to be explicitly set to `true`.
- TTL handling within core: All lease TTL handling has been centralized within
  the core of Vault to ensure consistency across all backends. Since this was
  previously delegated to individual backends, there may be some slight
  differences in TTLs generated from some backends.
- Removal of default `secret/` mount: In 0.12 we will stop mounting `secret/`
  by default at initialization time (it will still be available in `dev`
  mode).

FEATURES:

- OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some
  features are only available with a supporting version of Vault, but the code
  base is entirely open.
- Versioned K/V: The `kv` backend has been completely revamped, featuring
  flexible versioning of values, check-and-set protections, and more. A new
  `vault kv` subcommand allows friendly interactions with it. Existing mounts
  of the `kv` backend can be upgraded to the new versioned mode (downgrades
  are not currently supported). The old "passthrough" mode is still the
  default for new mounts; versioning can be turned on by setting the
  `-version=2` flag for the `vault secrets enable` command.
- Database Root Credential Rotation: Database configurations can now rotate
  their own configured admin/root credentials, allowing configured credentials
  for a database connection to be rotated immediately after sending them into
  Vault, invalidating the old credentials and ensuring only Vault knows the
  actual valid values.
- Azure Authentication Plugin: There is now a plugin (pulled in to Vault) that
  allows authenticating Azure machines to Vault using Azure's Managed Service
  Identity credentials. See the [plugin
  repository](https://github.com/hashicorp/vault-plugin-auth-azure) for more
  information.
- GCP Secrets Plugin: There is now a plugin (pulled in to Vault) that allows
  generating secrets to allow access to GCP. See the [plugin
  repository](https://github.com/hashicorp/vault-plugin-secrets-gcp) for more
  information.
- Selective Audit HMACing of Request and Response Data Keys: HMACing in audit
  logs can be turned off for specific keys in the request input map and
  response `data` map on a per-mount basis.
- Passthrough Request Headers: Request headers can now be selectively passed
  through to backends on a per-mount basis. This is useful in various cases
  when plugins are interacting with external services.
- HA for Google Cloud Storage: The GCS storage type now supports HA.
- UI support for identity: Add and edit entities, groups, and their associated
  aliases.
- UI auth method support: Enable, disable, and configure all of the built-in
  authentication methods.
- UI (Enterprise): View and edit Sentinel policies.

IMPROVEMENTS:

- core: Centralize TTL generation for leases in core
- identity: API to update group-alias by ID
- secret/cassandra: Update Cassandra storage delete function to not use batch
  operations
- storage/mysql: Allow setting max idle connections and connection lifetime

- storage/gcs: Add HA support
- ui: Add Nomad to the list of available secret engines
- ui: Adds ability to set static headers to be returned by the UI

BUG FIXES:

- api: Fix retries not working
- auth/gcp: Invalidate clients on config change
- auth/token: Revoke-orphan and tidy operations now correctly cleans up the
  parent prefix entry in the underlying storage backend. These operations also
  mark corresponding child tokens as orphans by removing the parent/secondary
  index from the entries.
- command: Re-add `-mfa` flag and migrate to OSS binary
- core: Fix issue occurring from mounting two auth backends with the same path
  with one mount having `auth/` in front
- mfa: Invalidation of MFA configurations (Enterprise)
- replication: Fix a panic on some non-64-bit platforms
- replication: Fix invalidation of policies on performance secondaries
- secret/pki: When tidying if a value is unexpectedly nil, delete it and move
  on
- storage/s3: Fix panic if S3 returns no Content-Length header
- ui: Fixed an issue where the UI was checking incorrect paths when operating
  on transit keys. Capabilities are now checked when attempting to encrypt /
  decrypt, etc.
- ui: Fixed IE 11 layout issues and JS errors that would stop the application
  from running.
- ui: Fixed the link that gets rendered when a user doesn't have permissions
  to view the root of a secret engine. The link now sends them back to the list
  of secret engines.
- replication: Fix issue with DR secondaries when using mount specified local
  paths.
- cli: Fix an issue where generating a dr operation token would not output the
  token
   2018-03-30 13:56:27 by Benny Siegert | Files touched by this commit (94) | Package updated
Log message:
Revbump all Go packages after 1.10.1 update.

ok wiz@ for committing during freeze
   2018-03-23 13:00:12 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
security/vault: Update to 0.9.6

DEPRECATIONS/CHANGES:

- The AWS authentication backend now allows binds for inputs as either a
  comma-delimited string or a string array. However, to keep consistency with
  input and output, when reading a role the binds will now be returned as
  string arrays rather than strings.
- In order to prefix-match IAM role and instance profile ARNs in AWS auth
  backend, you now must explicitly opt-in by adding a `*` to the end of the
  ARN. Existing configurations will be upgraded automatically, but when
  writing a new role configuration the updated behavior will be used.

FEATURES:

- Replication Activation Enhancements: When activating a replication
  secondary, a public key can now be fetched first from the target cluster.
  This public key can be provided to the primary when requesting the
  activation token. If provided, the public key will be used to perform a
  Diffie-Hellman key exchange resulting in a shared key that encrypts the
  contents of the activation token. The purpose is to protect against
  accidental disclosure of the contents of the token if unwrapped by the wrong
  party, given that the contents of the token are highly sensitive. If
  accidentally unwrapped, the contents of the token are not usable by the
  unwrapping party. It is important to note that just as a malicious operator
  could unwrap the contents of the token, a malicious operator can pretend to
  be a secondary and complete the Diffie-Hellman exchange on their own; this
  feature provides defense in depth but still requires due diligence around
  replication activation, including multiple eyes on the commands/tokens and
  proper auditing.

IMPROVEMENTS:

- api: Update renewer grace period logic. It no longer is static, but rather
  dynamically calculates one based on the current lease duration after each
  renew.
- auth/approle: Allow array input for bound_cidr_list
- auth/aws: Allow using lists in role bind parameters
- auth/aws: Allow binding by EC2 instance IDs
- auth/aws: Allow non-prefix-matched IAM role and instance profile ARNs
- auth/ldap: Set a very large size limit on queries
- core: Log info notifications of revoked leases for all leases/reasons, not
  just expirations
- physical/couchdb: Removed limit on the listing of items
- secret/pki: Support certificate policies
- secret/pki: Add ability to have CA:true encoded into intermediate CSRs, to
  improve compatibility with some ADFS scenarios
- secret/transit: Allow selecting signature algorithm as well as hash
  algorithm when signing/verifying
- server: Make sure `tls_disable_client_cert` is actually a true value rather
  than just set
- storage/dynamodb: Allow specifying max retries for dynamo client
- storage/gcs: Allow specifying chunk size for transfers, which can reduce
  memory utilization
- sys/capabilities: Add the ability to use multiple paths for capability
  checking

BUG FIXES:

- auth/aws: Fix honoring `max_ttl` when a corresponding role `ttl` is not also
  set
- auth/okta: Fix honoring configured `max_ttl` value
- auth/token: If a periodic token being issued has a period greater than the
  max_lease_ttl configured on the token store mount, truncate it. This matches
  renewal behavior; before it was inconsistent between issuance and renewal.
- cli: Improve error messages around `vault auth help` when there is no CLI
  helper for a particular method
   2018-03-04 16:52:21 by Benny Siegert | Files touched by this commit (95) | Package updated
Log message:
Revbump all Go packages after Go 1.10 update.
   2018-02-27 13:32:35 by Filip Hajny | Files touched by this commit (1)
Log message:
security/vault: Simplify Makefile, enable a basic test target.
   2018-02-27 12:20:42 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
security/vault: Update to 0.9.5

## 0.9.5 (February 26th, 2018)

IMPROVEMENTS:

- auth: Allow sending default_lease_ttl and max_lease_ttl values when enabling
  auth methods.
- secret/database: Add list functionality to `database/config` endpoint
- physical/consul: Allow setting a specific service address
- replication: When bootstrapping a new secondary, if the initial cluster
  connection fails, Vault will attempt to roll back state so that
  bootstrapping can be tried again, rather than having to recreate the
  downstream cluster. This will still require fetching a new secondary
  activation token.

BUG FIXES:

- auth/aws: Update libraries to fix regression verifying PKCS#7 identity
  documents
- listener: Revert to Go 1.9 for now to allow certificates with non-DNS names
  in their DNS SANs to be used for Vault's TLS connections
- replication: Fix issue with a performance secondary/DR primary node losing
  its DR primary status when performing an update-primary operation
- replication: Fix issue where performance secondaries could be unable to
  automatically connect to a performance primary after that performance
  primary has been promoted to a DR primary from a DR secondary
- ui: Fix behavior when a value contains a `.`

## 0.9.4 (February 20th, 2018)

SECURITY:

- Role Tags used with the EC2 style of AWS auth were being improperly parsed;
  as a result they were not being used to properly restrict values.
  Implementations following our suggestion of using these as defense-in-depth
  rather than the only source of restriction should not have significant
  impact.

FEATURES:

- ChaCha20-Poly1305 support in `transit`: You can now encrypt and decrypt
  with ChaCha20-Poly1305 in `transit`. Key derivation and convergent
  encryption is also supported.
- Okta Push support in Okta Auth Backend: If a user account has MFA
  required within Okta, an Okta Push MFA flow can be used to successfully
  finish authentication.
- PKI Improvements: Custom OID subject alternate names can now be set,
  subject to allow restrictions that support globbing. Additionally, Country,
  Locality, Province, Street Address, and Postal Code can now be set in
  certificate subjects.
- Manta Storage: Joyent Triton Manta can now be used for Vault storage
- Google Cloud Spanner Storage: Google Cloud Spanner can now be used for
  Vault storage

IMPROVEMENTS:

- auth/centrify: Add CLI helper
- audit: Always log failure metrics, even if zero, to ensure the values appear
  on dashboards
- cli: Disable color when output is not a TTY
- cli: Add `-format` flag to all subcommands
- cli: Do not display deprecation warnings when the format is not table
- core: If over a predefined lease count (256k), log a warning not more than
  once a minute. Too many leases can be problematic for many of the storage
  backends and often this number of leases is indicative of a need for
  workflow improvements.
- secret/nomad: Have generated ACL tokens cap out at 64 characters
- secret/pki: Country, Locality, Province, Street Address, and Postal Code can
  now be set on certificates
- secret/pki: UTF-8 Other Names can now be set in Subject Alternate Names in
  issued certs; allowed values can be set per role and support globbing
- secret/pki: Add a flag to make the common name optional on certs
- secret/pki: Ensure only DNS-compatible names go into DNS SANs; additionally,
  properly handle IDNA transformations for these DNS names
- secret/ssh: Add `valid-principles` flag to CLI for CA mode
- storage/manta: Add Manta storage
- ui (Enterprise): Support for ChaCha20-Poly1305 keys in the transit engine.

BUG FIXES:
- api/renewer: Honor increment value in renew auth calls
- auth/approle: Fix inability to use limited-use-count secret IDs on
  replication performance secondaries
- auth/approle: Cleanup of secret ID accessors during tidy and removal of
  dangling accessor entries
- auth/aws-ec2: Avoid masking of role tag response
- auth/cert: Verify DNS SANs in the authenticating certificate
- auth/okta: Return configured durations as seconds, not nanoseconds
- auth/okta: Get all okta groups for a user vs. default 200 limit
- auth/token: Token creation via the CLI no longer forces periodic token
  creation. Passing an explicit zero value for the period no longer create
  periodic tokens.
- command: Fix interpreted formatting directives when printing raw fields
- command: Correctly format output when using -field and -format flags at the
  same time
- command/rekey: Re-add lost `stored-shares` parameter
- command/ssh: Create and reuse the api client
- command/status: Fix panic when status returns 500 from leadership lookup
- identity: Fix race when creating entities
- plugin/gRPC: Fixed an issue with list requests and raw responses coming from
  plugins using gRPC transport
- plugin/gRPC: Fix panic when special paths are not set
- secret/pki: Verify a name is a valid hostname before adding to DNS SANs
- secret/transit: Fix auditing when reading a key after it has been backed up
  or restored
- secret/transit: Fix storage/memory consistency when persistence fails
- storage/consul: Validate that service names are RFC 1123 compliant
- storage/etcd3: Fix memory ballooning with standby instances
- storage/etcd3: Fix large lists (like token loading at startup) not being
  handled
- storage/postgresql: Fix compatibility with versions using custom string
  version tags
- storage/zookeeper: Update vendoring to fix freezing issues
- ui (Enterprise): Decoding the replication token should no longer error and
  prevent enabling of a secondary replication cluster via the ui.
- plugin/gRPC: Add connection info to the request object
   2018-01-30 17:37:35 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.9.3.

## 0.9.3 (January 28th, 2018)

A regression from a feature merge disabled the Nomad secrets backend in 0.9.2.
This release re-enables the Nomad secrets backend; it is otherwise identical to
0.9.2.

## 0.9.2 (January 26th, 2018)

SECURITY:

* Okta Auth Backend: While the Okta auth backend was successfully verifying
  usernames and passwords, it was not checking the returned state of the
  account, so accounts that had been marked locked out could still be used to
  log in. Only accounts in SUCCESS or PASSWORD_WARN states are now allowed.
* Periodic Tokens: A regression in 0.9.1 meant that periodic tokens created by
  the AppRole, AWS, and Cert auth backends would expire when the max TTL for
  the backend/mount/system was hit instead of their stated behavior of living
  as long as they are renewed. This is now fixed; existing tokens do not have
  to be reissued as this was purely a regression in the renewal logic.
* Seal Wrapping: During certain replication states values written marked for
  seal wrapping may not be wrapped on the secondaries. This has been fixed,
  and existing values will be wrapped on next read or write. This does not
  affect the barrier keys.

DEPRECATIONS/CHANGES:

* `sys/health` DR Secondary Reporting: The `replication_dr_secondary` bool
  returned by `sys/health` could be misleading since it would be `false` both
  when a cluster was not a DR secondary but also when the node is a standby in
  the cluster and has not yet fully received state from the active node. This
  could cause health checks on LBs to decide that the node was acceptable for
  traffic even though DR secondaries cannot handle normal Vault traffic. (In
  other words, the bool could only convey "yes" or "no" but \ 
not "not sure
  yet".) This has been replaced by `replication_dr_mode` and
  `replication_perf_mode` which are string values that convey the current
  state of the node; a value of `disabled` indicates that replication is
  disabled or the state is still being discovered. As a result, an LB check
  can positively verify that the node is both not `disabled` and is not a DR
  secondary, and avoid sending traffic to it if either is true.
* PKI Secret Backend Roles parameter types: For `ou` and `organization`
  in role definitions in the PKI secret backend, input can now be a
  comma-separated string or an array of strings. Reading a role will
  now return arrays for these parameters.
* Plugin API Changes: The plugin API has been updated to utilize golang's
  context.Context package. Many function signatures now accept a context
  object as the first parameter. Existing plugins will need to pull in the
  latest Vault code and update their function signatures to begin using
  context and the new gRPC transport.

FEATURES:

* **gRPC Backend Plugins**: Backend plugins now use gRPC for transport,
  allowing them to be written in other languages.
* **Brand New CLI**: Vault has a brand new CLI interface that is significantly
  streamlined, supports autocomplete, and is almost entirely backwards
  compatible.
* **UI: PKI Secret Backend (Enterprise)**: Configure PKI secret backends,
  create and browse roles and certificates, and issue and sign certificates via
  the listed roles.

IMPROVEMENTS:

* auth/aws: Handle IAM headers produced by clients that formulate numbers as
  ints rather than strings [GH-3763]
* auth/okta: Support JSON lists when specifying groups and policies [GH-3801]
* autoseal/hsm: Attempt reconnecting to the HSM on certain kinds of issues,
  including HA scenarios for some Gemalto HSMs.
  (Enterprise)
* cli: Output password prompts to stderr to make it easier to pipe an output
  token to another command [GH-3782]
* core: Report replication status in `sys/health` [GH-3810]
* physical/s3: Allow using paths with S3 for non-AWS deployments [GH-3730]
* physical/s3: Add ability to disable SSL for non-AWS deployments [GH-3730]
* plugins: Args for plugins can now be specified separately from the command,
  allowing the same output format and input format for plugin information
  [GH-3778]
* secret/pki: `ou` and `organization` can now be specified as a
  comma-separated string or an array of strings [GH-3804]
* plugins: Plugins will fall back to using netrpc as the communication protocol
  on older versions of Vault [GH-3833]

BUG FIXES:

* auth/(approle,aws,cert): Fix behavior where periodic tokens generated by
  these backends could not have their TTL renewed beyond the system/mount max
  TTL value [GH-3803]
* auth/aws: Fix error returned if `bound_iam_principal_arn` was given to an
  existing role update [GH-3843]
* core/sealwrap: Speed improvements and bug fixes (Enterprise)
* identity: Delete group alias when an external group is deleted [GH-3773]
* legacymfa/duo: Fix intermittent panic when Duo could not be reached
  [GH-2030]
   2018-01-02 10:35:44 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.9.1.

DEPRECATIONS/CHANGES:

- AppRole Case Sensitivity: In prior versions of Vault, `list` operations
  against AppRole roles would require preserving case in the role name, even
  though most other operations within AppRole are case-insensitive with
  respect to the role name. This has been fixed; existing roles will behave as
  they have in the past, but new roles will act case-insensitively in these
  cases.
- Token Auth Backend Roles parameter types: For `allowed_policies` and
  `disallowed_policies` in role definitions in the token auth backend, input
  can now be a comma-separated string or an array of strings. Reading a role
  will now return arrays for these parameters.
- Transit key exporting: You can now mark a key in the `transit` backend as
  `exportable` at any time, rather than just at creation time; however, once
  this value is set, it still cannot be unset.
- PKI Secret Backend Roles parameter types: For `allowed_domains` and
  `key_usage` in role definitions in the PKI secret backend, input
  can now be a comma-separated string or an array of strings. Reading a role
  will now return arrays for these parameters.
- SSH Dynamic Keys Method Defaults to 2048-bit Keys: When using the dynamic
  key method in the SSH backend, the default is now to use 2048-bit keys if no
  specific key bit size is specified.
- Consul Secret Backend lease handling: The `consul` secret backend can now
  accept both strings and integer numbers of seconds for its lease value. The
  value returned on a role read will be an integer number of seconds instead
  of a human-friendly string.
- Unprintable characters not allowed in API paths: Unprintable characters are
  no longer allowed in names in the API (paths and path parameters), with an
  extra restriction on whitespace characters. Allowed characters are those
  that are considered printable by Unicode plus spaces.

FEATURES:

- Transit Backup/Restore: The `transit` backend now supports a backup
  operation that can export a given key, including all key versions and
  configuration, as well as a restore operation allowing import into another
  Vault.
- gRPC Database Plugins: Database plugins now use gRPC for transport,
  allowing them to be written in other languages.
- Nomad Secret Backend: Nomad ACL tokens can now be generated and revoked
  using Vault.
- TLS Cert Auth Backend Improvements: The `cert` auth backend can now
  match against custom certificate extensions via exact or glob matching, and
  additionally supports max_ttl and periodic token toggles.

IMPROVEMENTS:

- auth/cert: Support custom certificate constraints
- auth/cert: Support setting `max_ttl` and `period`
- audit/file: Setting a file mode of `0000` will now disable Vault from
  automatically `chmod`ing the log file
- auth/github: The legacy MFA system can now be used with the GitHub auth
  backend
- auth/okta: The legacy MFA system can now be used with the Okta auth backend
- auth/token: `allowed_policies` and `disallowed_policies` can now be specified
  as a comma-separated string or an array of strings
- command/server: The log level can now be specified with `VAULT_LOG_LEVEL`
- core: Period values from auth backends will now be checked and applied to the
  TTL value directly by core on login and renewal requests
- database/mongodb: Add optional `write_concern` parameter, which can be set
  during database configuration. This establishes a session-wide write
  concern for the lifecycle of the mount
- http: Request path containing non-printable characters will return 400 - Bad
  Request
- mfa/okta: Filter a given email address as a login filter, allowing operation
  when login email and account email are different
- plugins: Make Vault more resilient when unsealing when plugins are
  unavailable
- secret/pki: `allowed_domains` and `key_usage` can now be specified
  as a comma-separated string or an array of strings
- secret/ssh: Allow 4096-bit keys to be used in dynamic key method
- secret/consul: The Consul secret backend now uses the value of `lease` set
  on the role, if set, when renewing a secret.
- storage/mysql: Don't attempt database creation if it exists, which can help
  under certain permissions constraints

BUG FIXES:

- api/status (enterprise): Fix status reporting when using an auto seal
- auth/approle: Fix case-sensitive/insensitive comparison issue
- auth/cert: Return `allowed_names` on role read
- auth/ldap: Fix incorrect control information being sent
- core: Fix seal status reporting when using an autoseal
- core: Add creation path to wrap info for a control group token
- core: Fix potential panic that could occur using plugins when a node
  transitioned from active to standby
- core: Fix memory ballooning when a connection would connect to the cluster
  port and then go away -- redux!
- core: Replace recursive token revocation logic with depth-first logic, which
  can avoid hitting stack depth limits in extreme cases
- core: When doing a read on configured audited-headers, properly handle case
  insensitivity
- core/pkcs11 (enterprise): Fix panic when PKCS#11 library is not readable
- database/mysql: Allow the creation statement to use commands that are not yet
  supported by the prepare statement protocol
- plugin/auth-gcp: Fix IAM roles when using `allow_gce_inference`

Next | Query returned 29 messages, browsing 1 to 10 | Previous